Why I finally decided to disable authentication with SMS

There is lots of content online that talks about how insecure two-factor authentication with SMS/text message is. Despite that, I still didn’t necessarily consider that I should opt out for good using it as an alternative method. But now I started to disable the option where possible.

It all started when a few friends told me that when they call or text me, somebody else takes the call/text.

“What?” I couldn’t believe it when I heard it. It was even worse when more and more friends pointed this out. I didn’t have call forwarding enabled to do that, but somehow the phone carrier considered doing that.

What’s particular about this glitch is that it only happened when my phone didn’t have any cellular network (airplane mode, shutdown or on the countryside with poor to none network).

Then, it occurred to me that my online accounts are tied to authentication with text messaging which could be forwarded to another person without my permission. It’s no news to me. Numerous people were hacked this way. It goes like this. An attacker calls and requests the mobile carrier to port your number, while impersonating you (the victim), to another phone number and then use that to access your accounts.

It didn’t happen this way to me, but it was pretty close. Close enough to consider and disable the option for authentication with SMS on all my accounts. You really can’t rely nowadays on phone carriers to be a secure alternative of authentication because of their inconsistency and inadequate methods of validating your identity.

What can we do?

• Disable SMS/text message or voice call as an authentication factor
• Use other provided authentication factors like hardware token (U2F keys) or software token (ex. authenticators, phone prompt)
• One of the software tokens you can use is TypingDNA Authenticator, which uses the way you type to securely authenticate you and generate the necessary verification codes right in your browser

I’m part of TypingDNA, and we build the authenticator to provide a secure and easy to use authentication alternative. Of course, all the methods above have pros and cons. You have to explore them and find which one is a good fit for you.